Some SSL Certificate providers are more equal than others

Earlier this year Ionos (previously 1&1 in the UK) announced that they were changing their certificate partner from DigiCert to Sectigo for issuing the certificates that secure your website.
“Certificates are the backbone of secure online interactions, particularly for SMEs navigating today’s digital-first economy,” said Achim Weiss, CEO of IONOS. “Sectigo’s unmatched technical excellence and reliability align perfectly with our mission to empower businesses with superior digital security solutions. Together, we’re strengthening our customers’ ability to thrive in an increasingly connected world.”
https://www.ionos.co.uk/newsroom/news/ionos-partners-with-sectigo-to-redefine-digital-security-for-over-6-million-customers
Background
Ionos' previous partner DigiCert is jointly owned by private equity firms Clearlake Capital Group and TA Associates. These two firms became equal partners in DigiCert in 2019 after making a strategic investment in the company.
According to the Ionos website, Sectigo was formerly known as Comodo CA (Certification Authority). In October 2017 another private equity company, Francisco Partners, acquired Comodo Certification Authority (Comodo CA) from Comodo Security Solutions, Inc. Francisco Partners rebranded Comodo CA as Sectigo in November 2018.
Installation
SSL certificates are usually renewed every year. I have recently switched a couple of my domains to the new certificate being offered by Ionos. In spite of some issues with Ionos' allocation of certificates based on contracts rather than domains, I eventually managed the switch over to the new Sectigo certificates fairly seamlessly.
Here is a screenshot showing the newly installed "valid" certificate.
[Screenshot: the newly installed certificate shown as valid in the browser]

Issues
At the time I was able to validate the new certificate in my web browser and everything seemed to be working as before. However, over a few weeks I did notice some erratic behaviour with the website. This included:
- Website monitoring appeared broken (360 monitoring)
- Posts on X inconsistently displaying metadata, or not unfurling to show Twitter card metadata at all
- Posts on Slack not unfurling or displaying the correct metadata
- Fonts not loading when creating PDFs of web pages
I was experiencing the same behaviour on at least two sites, both of which had their SSL certificates recently renewed. A third site, also recently renewed, used a LetsEncrypt certificate for its web traffic (more robust at handling traffic forwarded from another top-level domain) and seemed unaffected.
Investigation
My first thought was that there was an issue with the metadata. I spent some time reviewing the use of Drupal's Metatag module and even made some small progress on a previously reported bug. However, I could not really see any change here that could have caused the unfurling to just stop working.
My breakthrough came when I decided to validate my HTML with the W3C HTML validator to see if there were any issues with the markup. Rather than copying and pasting the markup from your site, there is now an option to point the validator at your site or web page. I received the error:
"Certificate Verify Failed"
Here is one screenshot:
[Screenshot: the W3C validator reporting "Certificate Verify Failed"]

Bingo. In hindsight I probably should have realised that there was a problem with the new certificate. When inspecting via a web browser, or even a curl request, the certificate seemed fine, but when called via various APIs (W3C validator, 360 Monitoring, X and Slack) it appeared the new SSL certificate could not be verified and a 500 server error was shown.
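One check worth running before blaming the metadata is to look at the certificate chain the server actually hands out. A browser can often repair an incomplete chain on its own (by fetching the missing intermediate from the AIA URL in the leaf, or by having that intermediate cached from an earlier visit), whereas many non-browser clients such as monitoring agents, link unfurlers and validators verify strictly against what the server sends. The script below is an added example, not code from the original post or from Ionos or Sectigo, and it does not claim to be the cause of the failures described here; it only shows how to tell whether a server is serving its intermediate certificate. It assumes the `openssl` binary is installed for the live check, and the two `s_client` outputs embedded in it are constructed samples, not captures from the author's sites.

```python
"""Inspect the chain a TLS server sends, using openssl s_client -showcerts.

Added example (not the original post's code).  The s_client text is parsed for
the "Certificate chain" block and the "Verify return code" line; the checks
flag chains that strict clients would reject even though a browser may still
show a padlock.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

_CERT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")      # " 0 s:CN = host"
_ISSUER_LINE = re.compile(r"^\s*i:(.*)$")            # "   i:C = .., CN = Issuer"
_VERIFY_LINE = re.compile(r"^Verify return code:\s*(\d+)")


@dataclass
class ChainReport:
    subjects: List[str] = field(default_factory=list)  # served certs, leaf first
    issuers: List[str] = field(default_factory=list)   # issuer of each served cert
    verify_code: Optional[int] = None                  # openssl's verify result
    problems: List[str] = field(default_factory=list)


def analyse_chain(s_client_output: str) -> ChainReport:
    """Parse s_client text and report chain gaps a strict verifier would hit."""
    rep = ChainReport()
    for line in s_client_output.splitlines():
        m = _CERT_LINE.match(line)
        if m:
            rep.subjects.append(m.group(2).strip())
            continue
        m = _ISSUER_LINE.match(line)
        if m and len(rep.issuers) < len(rep.subjects):
            rep.issuers.append(m.group(1).strip())
            continue
        m = _VERIFY_LINE.match(line)
        if m:
            rep.verify_code = int(m.group(1))
    while len(rep.issuers) < len(rep.subjects):   # tolerate a missing i: line
        rep.issuers.append("")

    if not rep.subjects:
        rep.problems.append("no certificate chain found in output")
        return rep

    # Each served cert should be followed by the cert that issued it.  The last
    # one may legitimately be an intermediate whose root the client already
    # trusts; servers normally do not send the root itself.
    for k in range(len(rep.subjects) - 1):
        if rep.issuers[k] != rep.subjects[k + 1]:
            rep.problems.append(
                f"cert {k} issued by '{rep.issuers[k]}' but cert {k + 1} is "
                f"'{rep.subjects[k + 1]}'")
    # Only the leaf, and it is not self-signed: the client has to know or fetch
    # the intermediate itself, which browsers may do but many API clients do not.
    if len(rep.subjects) == 1 and rep.issuers[0] != rep.subjects[0]:
        rep.problems.append(
            "only the leaf certificate is served; no intermediate CA supplied")
    if rep.verify_code not in (None, 0):
        rep.problems.append(f"openssl verify return code {rep.verify_code}")
    return rep


def fetch_s_client(host: str, port: int = 443) -> str:
    """Live check: needs the openssl binary and network access."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return proc.stdout.decode(errors="replace")


# Constructed sample (not a real capture): leaf plus issuing intermediate.
GOOD_SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA Ltd, CN = Example DV Intermediate CA
-----BEGIN CERTIFICATE-----
(base64 body omitted in this constructed sample)
-----END CERTIFICATE-----
 1 s:C = XX, O = Example CA Ltd, CN = Example DV Intermediate CA
   i:C = XX, O = Example CA Ltd, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(base64 body omitted in this constructed sample)
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
"""

# Constructed sample: the same leaf sent on its own, which openssl reports as
# error 21 ("unable to verify the first certificate").
BAD_SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA Ltd, CN = Example DV Intermediate CA
-----BEGIN CERTIFICATE-----
(base64 body omitted in this constructed sample)
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    import sys
    text = fetch_s_client(sys.argv[1]) if len(sys.argv) > 1 else BAD_SAMPLE
    report = analyse_chain(text)
    print(f"served {len(report.subjects)} certificate(s)")
    for p in report.problems:
        print("PROBLEM:", p)
```

Run it with a hostname to test a live site, or with no argument to see the report for the constructed single-leaf sample. If the live run shows only one served certificate, or a non-zero verify return code, the fix is on the server side (install the CA-supplied intermediate bundle alongside the leaf) rather than in the site's metadata.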
I contacted Ionos to see if anyone else was experiencing similar issues. I explained the issues I was having but they denied there was any issue with the certificate and suggested the issue with unfurling was probably caused by my website not having the correct meta data! It's mad that I am paying them for this advice!
Workaround
I was simply able to quickly install a LetsEncrypt certificate in place of the supplied Sectigo certificate so that the various APIs could access my site consistently. At that point all the affected APIs mentioned above were able to reach my site(s).
Summary
After switching from a valid DigiCert certificate to a Sectigo one, it appears to me that the two are not equal. That is, many APIs seem to fail when validating the new certificate, which can make your site unreachable. This is not immediately obvious, as the behaviour can also be erratic: sometimes the API does seem to be able to connect. While it is possible that something has gone awry with the set-up and installation of these valid certificates, it is also possible that they simply do not work as intended with a number of high-profile APIs.